Netgate Discussion Forum

Trouble getting pfsense + openvpn + edgerouter-x working

General pfSense Questions
6 Posts, 2 Posters, 905 Views
  • rugggg
    last edited by Dec 2, 2018, 2:37 AM

    Been banging my head against a wall for a few days now attempting to set up a pfSense instance in a dell r210ii recently acquired. Goal is to run all traffic on home network through the pfSense box, with certain VLANs routing out to the vpn and some to the clearnet gateway.

    I've largely followed: https://nguvu.org/pfsense/pfsense-baseline-setup/

    I've checked and triple checked my configurations on pfSense and er-x.

    ISP is ATT U-Verse with a Pace 5268ac box that only supports a "DMZ+" mode, which is basically bridging.

    Using OpenVPN to connect to AirVPN and that connection is showing all green.

    Using the ER-X as a managed, VLAN-aware switch behind the pfSense box, which is behind the ATT box (need the ATT box to get service).

    I cannot get any internet connectivity on the VPN interface (VLAN 20).
    At points, connectivity has been present for clearnet (VLAN 30), but it has been inconsistent.
    I suspect that the issue is somewhere in my NAT rules, or the ATT box is a POS and is ruining all my hopes and dreams.

    Thanks for the help in advance.

    NAT
    0_1543718142948_NAT.png
    WAN Firewall rules
    0_1543718131284_wan_firewall.png

    LAN Firewall

    VLAN 20 VPN Firewall rules
    0_1543718121140_vl20_firewall.png

    VLAN 30 Clearnet rules
    0_1543718110759_vl30_firewall.png

    VPN_WAN interface firewall rules
    0_1543718104149_vpn_wan_firewall.png

    Interfaces
    0_1543718095526_interfaces.png

    EdgeRouter-X Config:
    0_1543718090373_erx_config.png

    • stephenw10 (Netgate Administrator)
      last edited by Dec 2, 2018, 5:46 PM

      Your pfSense config looks OK, at least the parts we can see. Your DNS setup there may not be good, but you should be able to ping out by IP at least from the VLAN subnet.

      I'd have to guess your edge router config is bad but it's the first time I'm ever looking at one.
      What exactly is it supposed to be doing? How is it connected?

      Steve

      • rugggg @stephenw10
        last edited by Dec 3, 2018, 8:44 PM

        @stephenw10 I neglected to mention that I am able to ping out; DNS is fine, it seems.

        The EdgeRouter should be acting as a VLAN-aware switch; from what I've seen this is possible with the ER-X.

        Eth 1,2,3,4 should be configured as a part of switch 0. Leaving eth0 for connecting for confirmation for now.

        Eth1 - trunk to pfsense box
        Eth2 - hardwired VPN (vlan 20) port
        Eth3 - hardwired clearnet port (vlan 3)
        Eth4 will be going to an access point, but have not set that up yet.

        It's quite possible that the ER-X is the issue; the configuration is a little weird for me.

        Anything on eth2 from the client machine should be tagged as VLAN 20, same for VLAN 30 and eth3.

        • stephenw10 (Netgate Administrator)
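        For reference, here is what the port layout described in this post looks like as EdgeOS configuration commands. This is an added example, not the poster's own ER-X config (which is only shown as an image above). The port roles and VLAN IDs 20 and 30 come from the thread; the exact command syntax is assumed from EdgeOS vlan-aware switching and should be checked against the firmware release in use.

```edgeos
# Added example (not from the thread): EdgeOS vlan-aware switch config for the
# ER-X port roles described above. eth1 = trunk to pfSense, eth2 = VLAN 20 (VPN)
# access port, eth3 = VLAN 30 (clearnet) access port, eth4 reserved for the AP.
# Command syntax is an assumption; verify against the running EdgeOS version.
configure

# Put the four LAN ports into the hardware switch (eth0 stays separate for admin access)
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4

# Make the switch honour 802.1Q tags per port
set interfaces switch switch0 switch-port vlan-aware enable

# eth1: trunk to pfSense; carries VLAN 20 and VLAN 30 tagged, nothing untagged
set interfaces switch switch0 switch-port interface eth1 vlan vid 20
set interfaces switch switch0 switch-port interface eth1 vlan vid 30

# eth2: untagged access port in VLAN 20 (VPN); frames from the client are
# tagged 20 on ingress and stripped on egress
set interfaces switch switch0 switch-port interface eth2 vlan pvid 20

# eth3: untagged access port in VLAN 30 (clearnet)
set interfaces switch switch0 switch-port interface eth3 vlan pvid 30

commit
save
```

        Two things worth checking once this is applied: that the trunk port lists only the VIDs pfSense is expected to see, and that each access port has a pvid and no vid entries, so a client plugged into eth2 cannot reach VLAN 30 by sending its own tagged frames. A quick functional check is the one stephenw10 asks about below: a client on eth2 should pull a lease from the VLAN 20 DHCP scope on pfSense and a client on eth3 from the VLAN 30 scope.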
          last edited by Dec 4, 2018, 12:09 AM

          Hmm, well reading this it does appear to be correct at least in terms of the VLAN config.

          Do you have DHCP enabled on those interfaces in pfSense? And are clients connected to the edgerouter pulling an IP in the correct subnet? If so the VLAN setup is probably correct.

          In which case can we see your outbound NAT rules?

          Steve

          • rugggg @stephenw10
            last edited by Dec 4, 2018, 2:15 AM

            @stephenw10 Yup, DHCP is good; clients get an IP in the correct subnet.

            Here's the outbound NAT:
            0_1543889702782_outbound_nat.png

            Starting to think I need to just bypass this ATT box...

            • stephenw10 (Netgate Administrator)
              last edited by Dec 4, 2018, 3:12 PM

              Hmm, OK. That should work.

              I'd probably run some packet captures on WAN and the OpenVPN interface when trying to ping out to IPs that should be reachable over each from VLAN 20. See what traffic is actually going where and what replies, if any, are returning.

              Steve

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.